Integration / OpenCode

Let OpenCode sign up for websites and keep API keys out of context

Connect Trusty Squire as a local OpenCode MCP server. OpenCode plans the development job while Trusty Squire operates the real website and stores generated credentials behind a write-only boundary.

npx @trusty-squire/mcp connect --target=opencodeInstallation guide →
01

Ask for the outcome

Use Trusty Squire to sign up for Resend and wire the API key into my app.

OpenCode keeps the application goal in view while Trusty Squire completes the supported website flow and saves the generated key.

Set up Clerk without putting its secret key in this chat or .env.

The provider credential is captured into the encrypted vault instead of being returned as model-visible plaintext.

Sign in to Sentry and configure the webhook this project needs.

OpenCode can plan authenticated setup work while Trusty Squire handles the real browser session.
02

How it works

  1. 01

    Run the OpenCode target

    The connect command signs this machine in and adds a local squire server to OpenCode's effective global JSON or JSONC configuration.

  2. 02

    Restart OpenCode

    Start a fresh OpenCode session so it connects to the server and loads the Trusty Squire MCP tools.

  3. 03

    Ask for the website outcome

    Name the service and the setup your application needs. OpenCode plans the work and calls Trusty Squire for browser and credential operations.

03

What to know

Your OpenCode settings and comments stay intact

OpenCode normally reads ~/.config/opencode/opencode.json or opencode.jsonc. The installer respects custom OPENCODE_CONFIG and XDG_CONFIG_HOME locations, then makes a targeted JSONC-aware edit. It preserves surrounding comments, models, providers, permissions, plugins, and unrelated MCP servers while refreshing the managed squireentry. That entry uses OpenCode's command-array format and a 30-second startup timeout. Account and session tokens are never written to this configuration.

Control when the MCP tools are available

OpenCode exposes enabled MCP tools to the model. Set the squire server's enabled field to false when you do not need it, or use an OpenCode permission such as "squire_*": "ask" when you want approval before its tool calls. The installer does not overwrite your permission policy.

The provider key remains behind the vault boundary

Trusty Squire's credential tools return references and authenticated results, not stored plaintext. The provider key does not need to enter OpenCode's transcript, generated source, or local .env. Browser diagnostics can still contain whatever a website visibly renders, so avoid re-observing a page after it displays a secret.

Does Trusty Squire work with OpenCode?

Yes. Trusty Squire runs as a local stdio MCP server, and the connect command adds it to OpenCode's global MCP configuration.

Where does Trusty Squire configure OpenCode?

It updates the effective OpenCode global JSON or JSONC config, respecting OPENCODE_CONFIG and XDG_CONFIG_HOME. Existing settings, surrounding comments, and other MCP servers are preserved.

Can OpenCode use an API key without putting it in .env?

Yes. Trusty Squire's credential tools use vault references and server-side injection instead of returning the stored provider key to OpenCode. A separately issued app grant token can enter context and must still be handled as a backend secret.

Can OpenCode automate every website signup?

No. Trusty Squire stops when a site requires a phone, hard CAPTCHA, payment, or a decision that belongs to a person instead of guessing or claiming success.

04